2005/06/15 LUA (Least-Privilege User Account, Limited User Account)

With the advent of Longhorn (later note: it's now called Vista), Microsoft is getting
more serious about security. Everyone (well, everyone but your typical
Microsoft user) knows what the problem is: Windows users almost always
run with admin privileges, because it's basically impossible to get
anything done any other way. Longhorn intends to change that. Personally, I
don't think it's going to fly, because the ingrained culture is going to
fight it and pervert it right back to insecurity, but that's
yet to be seen. Let's look at their intentions first.

Actually, before we do that, we need to mention the other
LUA. Microsoft unfortunately overloaded this acronym. At
http://msdn.microsoft.com you'll find:

That has absolutely nothing to do with the LUA we're talking about here, but if you go Googling for LUA, you will find links to that other usage.

Back to least privilege: Unix folk understand this easily, because
this is the default for Unix users. A Unix user typically gets
almost no power. If you need to install programs that modify system
files, you'll need to gain root (admin) powers to do so. However,
many Unix programs can be installed and used by a specific non-privileged
user, simply because they don't need access to system files. Amusingly
enough, many Windows programs really don't need access to system files
either, but they are stupidly written. Most Windows programs
insist on writing into the "Program Files" directory and put their
registry keys under HKEY_LOCAL_MACHINE. They
COULD have been written to store data in the user's profile
directory and use HKEY_CURRENT_USER for registry keys, but very few are.
Therefore they need admin privileges to install.
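To make that concrete, here is an added example (mine, not from the original article) that probes the four locations the paragraph contrasts: a machine-wide registry key and a directory under Program Files, against a per-user registry key and a directory in the user's profile. Run it from an ordinary (non-admin) account and the two machine-wide writes are denied while the two per-user writes succeed; run it from an administrator's console and all four succeed, which is exactly why badly written programs "need" admin. The application name `LuaProbeApp` is an invented placeholder, and the probe cleans up anything it managed to create.

```powershell
# Added example: probe where a program can write without admin rights.
# LuaProbeApp is a placeholder name, not a real product.
function Test-WriteLocation {
    param([string]$AppName = 'LuaProbeApp')

    # The four locations the article contrasts: two need admin, two do not.
    $targets = @(
        @{ Scope = 'Machine'; Kind = 'Registry'; Path = "HKLM:\Software\$AppName" },
        @{ Scope = 'Machine'; Kind = 'File';     Path = Join-Path $env:ProgramFiles $AppName },
        @{ Scope = 'User';    Kind = 'Registry'; Path = "HKCU:\Software\$AppName" },
        @{ Scope = 'User';    Kind = 'File';     Path = Join-Path $env:LOCALAPPDATA $AppName }
    )

    foreach ($t in $targets) {
        $created = $false
        try {
            if ($t.Kind -eq 'Registry') {
                # Create the key and store one value, the way an installer would.
                New-Item -Path $t.Path -Force -ErrorAction Stop | Out-Null
                Set-ItemProperty -Path $t.Path -Name 'LastRun' -Value (Get-Date).ToString('o') -ErrorAction Stop
            } else {
                # Create the directory and drop a settings file into it.
                New-Item -Path $t.Path -ItemType Directory -Force -ErrorAction Stop | Out-Null
                Set-Content -Path (Join-Path $t.Path 'settings.ini') -Value 'probe=1' -ErrorAction Stop
            }
            $created = $true
            $result = 'writable'
        } catch {
            # A standard user lands here for the two Machine targets.
            $result = "denied ($($_.Exception.GetType().Name))"
        } finally {
            # Leave no trace; removal only runs where the write succeeded.
            if ($created) { Remove-Item -Path $t.Path -Recurse -Force -ErrorAction SilentlyContinue }
        }
        [pscustomobject]@{ Scope = $t.Scope; Kind = $t.Kind; Path = $t.Path; Result = $result }
    }
}

Test-WriteLocation | Format-Table -AutoSize
```

The exception name in the `Result` column is the tell: a SecurityException for the HKLM key and an UnauthorizedAccessException for Program Files. A program that stores its settings in the two `User` rows instead never sees either.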

Worse, they almost always need admin privileges to run. Windows
XP can (sometimes) detect that you need more privilege and pop up
a box asking for an administrative login and password. Feels
almost like Unix, doesn't it? Ayup, except that in XP this
doesn't work well and usually won't work at all: you might
get the program installed that way, but it's unlikely you'll
be able to actually use it because the problems just run too deep.

Longhorn intends to change that. Microsoft is telling
application developers to write for non-admin accounts whenever
possible. They've even eliminated the Power Users group: users
are going to be ordinary, least-privilege accounts or full-blown
administrators, and the developers are supposed to assume that
they won't be administrators unless they are really installing
system software. So that's the end of that: the developers
will rewrite all their code, Longhorn will be a smashing success,
and Microsoft will continue toward Galactic domination.

Yeah, right. That's not going to happen. Even Microsoft
knows the developers aren't going to rewrite much of anything.
They've had the tools to let developers use LUA accounts for
years and almost nobody does; Longhorn won't change anything.
They therefore have something else in the mix: AIM, or
Application Impact Management. This will sandbox the
app, and let it think it is happily writing in system
space. AIM instead will have given it a virtual copy
of what it wants to muck with, and will store that for the app's
use. Great idea? Maybe, but there's a flaw here: apps
can have deep dependencies on other data in system space, or
may really need access to the real system data. I'll bet
at least some apps will be broken by AIM.
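For the record, the feature described here as AIM did ship in Vista, under the name UAC file and registry virtualization: a write by a legacy 32-bit program (one without a manifest declaring what privilege it wants) to a protected location is silently redirected into a per-user VirtualStore, one under the user's profile for files and one under HKEY_CURRENT_USER for registry keys. The added example below (mine, not from the original article) inventories that store, so you can see which programs are living on a private copy of "system" data. That is precisely the population this paragraph expects to break, because the copy is per user and never sees what the real Program Files or HKLM contains. It assumes the redirected files came from the system drive, which is where the protected locations live.

```powershell
# Added example: list programs whose "system" writes were redirected into
# the per-user VirtualStore by UAC virtualization, and map each redirected
# item back to where the program believed it was writing.
function Get-VirtualizedWrite {
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE'

    if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # VirtualStore mirrors the drive layout: VirtualStore\Program Files\X
                # is what the program thinks is C:\Program Files\X (system drive assumed).
                $relative = $_.FullName.Substring($fileStore.Length + 1)
                [pscustomobject]@{
                    Kind         = 'File'
                    BelievedPath = Join-Path $env:SystemDrive $relative
                    ActualPath   = $_.FullName
                    Detail       = "last written $($_.LastWriteTime)"
                }
            }
    }

    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # ...VirtualStore\MACHINE\SOFTWARE\X stands in for HKLM\SOFTWARE\X.
                $believed = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE', 'HKEY_LOCAL_MACHINE'
                [pscustomobject]@{
                    Kind         = 'Registry'
                    BelievedPath = $believed
                    ActualPath   = $_.Name
                    Detail       = "$($_.ValueCount) value(s)"
                }
            }
    }
}

Get-VirtualizedWrite | Sort-Object Kind, BelievedPath | Format-Table -AutoSize
```

An empty result is the good case. Anything that shows up is a program that "works" only because it is reading back its own private copy; install it for a second user, or change the real machine-wide setting, and the two diverge.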

But Microsoft realizes that, too. They have added a
"Protected Administrator" capability for installing software.
This is probably what Power User should have been: you
run as administrator, but applications you run as such
don't necessarily have the same privileges you do. An
app has to be "blessed" to get admin powers with this
feature turned on. I'm not convinced this is going to
work well, and the illusion of safety will probably
cause users to not use ordinary, non-empowered accounts. No
doubt everyone will use this Protected Admin function and
log in with administrator accounts. How long will
it be before someone writes something that finds a way to
bless itself and/or other programs? I suspect it won't
be long, but then I'm the pessimistic sort.
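The "Protected Administrator" mode shipped as UAC's Admin Approval Mode, and the mechanism behind "blessing" is a split token: an administrator's interactive session runs on a filtered token in which the Administrators group is marked "used for deny only", and a program gets the full token only after the user consents to the elevation prompt. The added example below (mine, not from the original article) shows both views of the same token side by side: `whoami` sees the raw group list with the deny-only flag, while a membership check against Administrators fails until the process is elevated. Run it in a normal console and again from an elevated one to see both states. The match on the text "deny only" assumes an English-language Windows.

```powershell
# Added example: distinguish "is an administrator" from "is running as one".
function Get-TokenStatus {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole asks the token for effective membership. Under the filtered
    # token this is false even though the account is in Administrators.
    $effective = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami shows the raw token, including groups flagged "used for deny only".
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
                  Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $denyOnly = [bool]$adminGroup -and ($adminGroup.Attributes -match 'deny only')

    $state = if ($effective) {
                 'full token: every program you start runs as admin'
             } elseif ($denyOnly) {
                 'filtered token (Protected Administrator): admin only after consent'
             } else {
                 'standard user'
             }

    [pscustomobject]@{
        User           = $identity.Name
        InAdminGroup   = [bool]$adminGroup
        AdminDenyOnly  = $denyOnly
        EffectiveAdmin = $effective
        State          = $state
    }
}

Get-TokenStatus | Format-List
```

The author's worry maps onto the `State` line: the design only helps while most processes report the filtered token. Once users habitually consent, or switch the prompt off, everything reports the full token and you are back to running as root.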

I also bet that those who use the PA mode will end up "blessing"
any app that misbehaves in the slightest - in fact, I bet that
becomes standard tech advice: "Hmm, you say it isn't working? Have
you blessed the app?" so shortly it will make no difference whatsoever
- EVERYTHING will run with full privileges. Of course the (uninformed)
Unix/Linux world often does similar things: I see "chmod 777"
employed as a trouble-shooting technique far too often. But this
"blessing" is more like "chown root someapp; chmod 4755 someapp": far
more dangerous than a 777, though blessing an app is at least a little
less dangerous than a real setuid-root binary would be.

A Wiki at (link) has a lot of good tips and resources
about things you can do now to improve admin access security.

Sun Oct 2 16:23:38 2005: 1145 BigDumbDinosaur

Finally got around to reading this -- too much work and not enough goof-off time, I guess.

Back to least privilege: Unix folk understand this easily, because this is the default for Unix users

Every time I have to work on a Windows 2000/XP box I get so annoyed with the stupidity of the "security model" that Microsoft has put together. Leave it to Redmond to take a basically simple concept of controlling and limiting ordinary user access and make it a gigantic and complicated mess. Why, oh why, are there so many user groups? In the UNIX world, users either have system privileges or they don't. In the overwhelming majority of cases, that is all that is needed! With Windows, things are the exact opposite: a confusing mish-mash of groups (power users, etc.) and no easy way to grant one specific privilege to one specific user. What a friggin' mess!

Of course, with the stupid design that Microsoft has developed, where ordinary software has to write keys into the registry using administrator level access, or in some cases, supplant or replace DLLs in the system subdir, you might as well run everyone as an administrator. Otherwise, you'll be constantly tripping over annoying little problems when the non-administrator tries to actually get any work done.

Fri Apr 4 12:43:16 2008: 3941 TonyLawrence

As I thought, Vista security is annoying the Windows folks, so now they are telling you how to disable it: (link)
